Migrate passwords from shadow to mysql
shwaltz at cabm.rutgers.edu
Tue Feb 3 13:03:22 EST 2004
The more I have thought about it, I do not wish to have my users'
passwords in plaintext anywhere. I have about 250 users with already
encrypted md5 passwords in the shadow file. Is there a utility to migrate
this information the the MySQL mail database?
This will allow me to manage the user accounts with web-cyradm and also
use the MySQL squirrelmail plugin so users can easily change their
I am trying to get a simple secure solution to upgrading from Cyrus Imap
1.6.24 to 2.2. Is there a way to migrate md5 shadow passwords to MySQL
and use them with sasl/pam ? I plan to use auth PLAIN/LOGIN and TLS.
On Fri, 23 Jan 2004, Ken Murchison wrote:
Shelley Waltz wrote:
> Thanks for the very clear instructions on how this works. One thing
> which does not make sense is the removal of the mech_list option
> subsequent to all users in the shadow file having auth'd once. ???
Because once the users are transitioned to the sql database, then you
can use *any* of the available SASL mechs.
> Also, why are the transitioned passwords stored in plaintext in the mysql
The auxprop plugins are designed to *retrieve* the password rather than
just *verify* the password. The plaintext password is needed to support
SASL mechs like CRAM-MD5, DIGEST-MD5, NTLM.
> On Thu, 22 Jan 2004, Ken Murchison wrote:
> Shelley Waltz wrote:
> > Ken, Thanks for the reply.
> > Yes, my new server is RH ES3 with all the most recent versions of
> > Cyrus imap/sasl/postfix/mysql ...
> Which version of SASL? You definitely want 2.1.17.
> > Where do I read about autotransition into the SQL auxprop plugin?
> > Does this mean that after I transition my existing users, I still
> > need to create /etc/shadow entries in order to esatblish new accounts
> > in thge mysql database. I planned to use webcyradm to manage accounts.
> Just read the docs on how to configure the SQL auxprop plugin. Then in
> your imapd.conf file, you'll have options like the following:
> sasl_mech_list: PLAIN LOGIN
> sasl_auto_transition: yes
> sasl_pwcheck_method: auxprop saslauthd
> sasl_auxprop_plugin: sql
> sasl_sql_engine: mysql
> sasl_sql_select: ...
> sasl_sql_insert: ...
> sasl_sql_update: ...
> And you'll need to run:
> saslauthd -a shadow
> This config will limit the server to plaintext authentication which will
> happen against /etc/shadow and then the password will be inserted into
> mysql. The next time the user authenticates, the password will be
> pulled from mysql (given the order of pwcheck_method).
> Once all of your users have authenticated at least once, you can remove
> the mech_list option or add other mechs to the list.
> > On Thu, 22 Jan 2004, Ken Murchison wrote:
> > Shelley Waltz wrote:
> > > I am installing a new postfix-cyrus mail server.
> > > I currently have cyrus-imap 1.6.24 authing PLAIN
> > > from /etc/shadow.
> > >
> > > I wish to migrate the passwords(md5) from the shadow file to
> > > a mysql database and use this to auth PLAIN using TLS.
> > > Is there a script available to do so - to migrate the users
> > > from the shadow file and create the records for mysql authentication?
> > >
> > > I did search, but found nothing.
> > First, I'd strongly suggest that you upgrade to a recent version of
> > Cyrus, either 2.1.16 or 2.2.3. To do this, you'll need a recent version
> > of SASL (I'd suggest 2.1.17). Then, you just configure Cyrus/SASL to
> > authentication plaintext from /etc/shadow and have it autotransition
> > passwords into the SQL auxprop plugin.
More information about the Info-cyrus